
Malware Detection in Docker Containers: An Image is Worth a Thousand Logs

Akis Nousias, Efklidis Katsaros, Evangelos Syrmos, Panagiotis Radoglou-Grammatikis, Thomas Lagkas, Vasileios Argyriou, Ioannis Moscholios, Evangelos Markakis, Sotirios Goudos, Panagiotis Sarigiannidis

TL;DR

This work tackles malware detection in Docker containers by treating the container filesystem as a large RGB image derived from tarballs and applying a streaming, patch-based CNN under a MIL-inspired framework. The authors release the Compromised Software Containers (COSOCO) image dataset (3,364 images) and provide a scalable data-generation pipeline supporting multiple OS and CPU architectures. Their experiments show that a ResNet18-based detector achieves the best F1 score among tested models and outperforms VirusTotal engines, while offering patch-level explanations and enabling early exit during inference. The approach paves the way for end-to-end container security with interpretable indications of compromised bytes, potentially improving practical malware attestation for containerized environments.

Abstract

Malware detection is increasingly challenged by evolving techniques like obfuscation and polymorphism, limiting the effectiveness of traditional methods. Meanwhile, the widespread adoption of software containers has introduced new security challenges, including the growing threat of malicious software injection, where a container, once compromised, can serve as an entry point for further cyberattacks. In this work, we address these security issues by introducing a method to identify compromised containers through machine learning analysis of their file systems. We cast entire software containers into large RGB images via their tarball representations, and propose to use established Convolutional Neural Network architectures in a streaming, patch-based manner. To support our experiments, we release the COSOCO dataset--the first of its kind--containing 3364 large-scale RGB images of benign and compromised software containers at https://huggingface.co/datasets/k3ylabs/cosoco-image-dataset. Our method detects more malware and achieves higher F1 and Recall scores than all individual and ensembles of VirusTotal engines, demonstrating its effectiveness and setting a new standard for identifying malware-compromised software containers.

Paper Structure

This paper contains 25 sections, 4 equations, 3 figures, 3 tables.

Figures (3)

  • Figure 1: The proposed method receives a tarball file as input and transforms it into its equivalent RGB image via the Image Converter. Subsequently, the image is split into patches and a convolutional neural network infers whether the input patch representing part of the file system is compromised by malware.
  • Figure 2: The data generation pipeline consists of the following steps: (i) parses tools (1) from the APT package manager and malware samples from MalwareBazaar, (ii) combines them (2) into a dataset definition, (iii) builds each configuration into a container (3) and exports tarball files from the container snapshots along with network traffic logs, and (iv) generates filesystem images (4) along with masks highlighting the malware changes.
  • Figure 3: Qualitative illustration. Each pair shows an image and its respective mask. White pixels mark the bytes compromised by malware activity, whereas the red bounding boxes indicate the patch predicted as malicious using ResNet18. Not only does our method correctly classify images, but it does so by detecting the patch of interest. Our patch-based approach a) explicitly reduces the GPU memory required and b) implicitly allows for i) early-exit inference to improve the runtime and ii) explanations of which patches contributed to the prediction.
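The pipeline in Figure 1 (tarball to RGB image, image to patches, per-patch decision) and the early exit and patch-level explanation of Figure 3 can be reproduced end to end without a trained model. The following is an added, illustrative example written for this page, not the authors' code: the ResNet18 patch classifier is replaced by a byte-entropy score so that it runs offline, the image width, patch size and decision threshold are assumptions (the page does not state the paper's values), and the two tarballs are constructed in memory (the high-entropy blob stands in for a packed implant and is not real malware). What it does show faithfully is the byte-to-pixel layout, raster-order patch streaming, max-pooling (MIL-style) aggregation of patch scores into an image label, early exit on the first positive patch, and mapping a flagged patch back to a tarball byte offset for explanation.

```python
"""Tarball -> RGB raster -> patch stream -> MIL-style max aggregation with early exit.
Illustrative code for this page; not the COSOCO authors' implementation."""
import hashlib
import io
import math
import tarfile
from collections import Counter
from typing import Callable, Iterator, List, Tuple

WIDTH = 64        # image width in pixels (assumption; the paper's width is not given on this page)
PATCH = 16        # square patch side in pixels (assumption)
THRESHOLD = 0.85  # per-patch decision threshold on the stand-in score (assumption)

Patch = Tuple[int, int, bytes]  # (row0, col0, patch bytes)


def tar_to_rgb_rows(tar_bytes: bytes, width: int = WIDTH, patch: int = PATCH) -> List[bytes]:
    """Lay the raw tarball bytes out as an RGB raster: 3 consecutive bytes form one pixel,
    `width` pixels form one row. Zero-pad so the height is a multiple of the patch size."""
    row_len = 3 * width
    padded = tar_bytes + b"\x00" * (-len(tar_bytes) % (row_len * patch))
    return [padded[i:i + row_len] for i in range(0, len(padded), row_len)]


def iter_patches(rows: List[bytes], width: int = WIDTH, patch: int = PATCH) -> Iterator[Patch]:
    """Stream square patches in raster order; each is `patch` rows x `patch` pixels."""
    for r0 in range(0, len(rows), patch):
        for c0 in range(0, width, patch):
            chunk = b"".join(row[3 * c0:3 * (c0 + patch)] for row in rows[r0:r0 + patch])
            yield r0, c0, chunk


def byte_offset(r0: int, c0: int, width: int = WIDTH) -> int:
    """Tarball byte offset of pixel (r0, c0): used to explain which bytes a patch covers."""
    return r0 * 3 * width + 3 * c0


def entropy_score(chunk: bytes) -> float:
    """Stand-in for the CNN: Shannon entropy of the patch bytes normalised to [0, 1].
    Packed or encrypted payloads score high; text, tar headers and zero padding score low."""
    counts = Counter(chunk)
    n = len(chunk)
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / 8.0


def classify(rows: List[bytes], scorer: Callable[[bytes], float] = entropy_score,
             threshold: float = THRESHOLD, early_exit: bool = True):
    """MIL-style aggregation: the image is 'compromised' if any patch scores >= threshold
    (max pooling over patches). Returns (label, max_score, flagged, patches_examined)."""
    flagged, best, examined = [], 0.0, 0
    for r0, c0, chunk in iter_patches(rows):
        examined += 1
        s = scorer(chunk)
        best = max(best, s)
        if s >= threshold:
            flagged.append((r0, c0, byte_offset(r0, c0), round(s, 3)))
            if early_exit:          # stop at the first positive patch (Figure 3, b-i)
                break
    return best >= threshold, best, flagged, examined


def build_tar(members) -> bytes:
    """Build an in-memory tarball from (name, bytes) pairs: a constructed container snapshot."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample inputs: a benign script, and the same snapshot with a high-entropy
# blob dropped into /tmp (stands in for a packed implant; it is NOT real malware).
BENIGN_SCRIPT = b"#!/bin/sh\necho hello world\n" * 100
IMPLANT_BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))  # 8192 bytes

BENIGN_TAR = build_tar([("usr/local/bin/hello.sh", BENIGN_SCRIPT)])
COMPROMISED_TAR = build_tar([("usr/local/bin/hello.sh", BENIGN_SCRIPT), ("tmp/.x", IMPLANT_BLOB)])


if __name__ == "__main__":
    for name, tb in (("benign", BENIGN_TAR), ("compromised", COMPROMISED_TAR)):
        rows = tar_to_rgb_rows(tb)
        label, best, flagged, n = classify(rows)
        total = (len(rows) // PATCH) * (WIDTH // PATCH)
        print(f"{name:12s} compromised={label} max={best:.3f} patches examined={n}/{total}")
        for r0, c0, off, s in flagged:
            print(f"  patch row={r0} col={c0} -> tarball byte offset {off} score={s}")
```

Running it classifies the benign snapshot as clean after scanning every patch, and the compromised one as positive after the first patch overlapping the blob, reporting the byte offset that patch covers; re-running `classify(..., early_exit=False)` yields the full set of positive patches, which is the patch-level mask of Figure 3. Replacing `entropy_score` with a real per-patch model is the only change needed to move from this sketch to the paper's setup; note that entropy alone is a weak detector (a compressed benign archive also scores high), which is exactly why the paper trains a CNN on the COSOCO masks instead.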